SUID, SGID, SBIT summarized

Because the tutorial's explanation of the three special permissions was too brief, I still did not understand them by the end of it, so after doing my own tests I wrote this summary to make them easier for others to understand.

1. SUID

Premise: what SUID does and what its limitations are

SUID can only be set on executable files; setting it on a directory has no effect.
The user must have x (execute) permission on the file.
When the user executes the file, it runs with the identity of the file's owner.
SUID only takes effect while the file is executing; once execution finishes, the switched identity goes away.

1.1 Setting the permission

1.1.1 Symbolic method

chmod u+s filename    adds the SUID permission
chmod u-s filename    removes the SUID permission

1.1.2 Numeric method

chmod 4755 filename

1.2 Example: passwd

The passwd command is used to change a Linux system password, and every user on the system can run it.
passwd changes the password by modifying the /etc/shadow file.
Take a look at the permissions on passwd:

[root@linuxprobe ~]# cd /bin
[root@linuxprobe bin]# ls -l passwd
-rwsr-xr-x. 1 root root 27832 Jan 30  2014 passwd

The fourth character is s, which means the SUID bit is set. With it, any ordinary user can change their own password (root can change the password of every user).

[user1@linuxprobe Desktop]$ passwd
Changing password for user user1.
Changing password for user1.
(current) UNIX password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

user1's password change succeeds. What happens if the SUID permission is removed from passwd?

[root@linuxprobe bin]# chmod u-s passwd
[root@linuxprobe bin]# ll passwd
-rwxr-xr-x. 1 root root 27832 Jan 30  2014 passwd

Change user1's password again:

[user1@linuxprobe Desktop]$ passwd
Changing password for user user1.
Changing password for user1.
(current) UNIX password: 
New password: 
Retype new password: 
passwd: Authentication token manipulation error

Although the user has permission to execute the passwd command, they do not have permission to modify the /etc/shadow file, so the password change ultimately fails.
When an ordinary user runs passwd, the system by default creates the passwd process with its identity set to the owner of passwd (the "program initiator"),
and passwd's owner is root, so the ordinary user is in fact modifying /etc/shadow with root's authority. When the passwd command finishes, the passwd process ends.

2. SGID

SGID provides two main functions:

1. It lets the executor temporarily hold the permissions of the file's group (effective for binary programs that have execute permission).
2. Files created in a directory automatically inherit the directory's group.

2.1 Setting the permission

2.1.1 Symbolic method

chmod -R g+s filename    adds the SGID permission
chmod -R g-s filename    removes the SGID permission

2.1.2 Numeric method

chmod 2777 filename

2.2 Examples

[root@linuxprobe Desktop]# ls -ld sgidd/
drwxrwxrwx. 2 root root 6 Jul 17 22:21 sgidd/
[root@linuxprobe Desktop]# chmod 2777 sgidd/
[root@linuxprobe Desktop]# ls -ld sgidd/
drwxrwsrwx. 2 root root 6 Jul 17 22:21 sgidd/

First, add the SGID permission to the directory:

[user1@linuxprobe sgidd]$ touch file1
[user1@linuxprobe sgidd]$ mkdir file2
[user1@linuxprobe sgidd]$ ll
total 0
-rw-rw-r--. 1 user1 root 0 Jul 17 22:36 file1
drwxrwsr-x. 2 user1 root 6 Jul 17 22:36 file2

Switch to an ordinary user and create a file and a directory inside it. Both newly created entries automatically inherit the group of the SGID directory, and the newly created directory also gets the SGID permission automatically.

3. SBIT

Role of SBIT:

When SBIT is set on a directory, the files in that directory can only be deleted by their owner, which effectively prevents malicious damage by other people.

3.1 Setting the permission

3.1.1 Symbolic method

chmod -R o+t filename    adds the SBIT permission
chmod -R o-t filename    removes the SBIT permission

3.1.2 Numeric method

chmod 1777 filename

3.2 Examples

[root@linuxprobe Desktop]# mkdir sbitd
[root@linuxprobe Desktop]# chmod 1777 sbitd/
[root@linuxprobe Desktop]# ls -ld sbitd/
drwxrwxrwt. 2 root root 6 Jul 17 23:23 sbitd/

Create a directory with the SBIT permission set:

[user1@linuxprobe sbitd]$ mkdir test
[user1@linuxprobe sbitd]$ ls -ld test
drwxrwxr-x. 2 user1 user1 6 Jul 17 23:29 test

Switch to user1 and create a directory named test:

[user2@linuxprobe sbitd]$ rm -rf test
rm: cannot remove ‘test’: Operation not permitted

Switch to user2 and try to delete the directory test; because of SBIT, the operation is not permitted.
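The three listings above all show the special bit in the execute slot of ls -l output. As an added example (not from the original post), the POSIX sh functions below decode such a mode string into the four-digit chmod value used in each section, name the special bits it carries, and give an administrator a quick way to list SUID/SGID files under a directory; the sample lines in the demo are constructed from the post's own listings.

```shell
#!/bin/sh
# Added example (not from the original post): decode an ls -l mode string such as
# "-rwsr-xr-x" into the chmod value used above (4755) and name its special bits.

# Decode one rwx class ($1) into DIGIT and add the class's special-bit value
# ($2: 4 for SUID, 2 for SGID, 1 for SBIT) to SPECIAL when s/S/t/T is present.
set_digit() {
    DIGIT=0
    case "$1" in r??) DIGIT=$((DIGIT + 4)) ;; esac
    case "$1" in ?w?) DIGIT=$((DIGIT + 2)) ;; esac
    case "$1" in
        ??x)     DIGIT=$((DIGIT + 1)) ;;                            # execute only
        ??s|??t) DIGIT=$((DIGIT + 1)); SPECIAL=$((SPECIAL + $2)) ;; # execute + special bit
        ??S|??T) SPECIAL=$((SPECIAL + $2)) ;;                       # special bit, no execute
    esac
}

# mode_to_octal "-rwsr-xr-x." -> 4755 ; mode_to_octal "drwxrwxrwt." -> 1777
mode_to_octal() {
    m=${1#?}          # drop the file-type character (-, d, l, ...)
    m=${m%[.+]}       # drop a trailing SELinux "." or ACL "+" marker
    SPECIAL=0
    set_digit "$(printf '%.3s' "$m")" 4; u=$DIGIT; m=${m#???}
    set_digit "$(printf '%.3s' "$m")" 2; g=$DIGIT; m=${m#???}
    set_digit "$(printf '%.3s' "$m")" 1; o=$DIGIT
    echo "$SPECIAL$u$g$o"
}

# special_names "-rwsr-xr-x." -> SUID ; special_names "drwxrwxr-x." -> none
special_names() {
    s=$(mode_to_octal "$1"); s=${s%???}   # keep only the leading special digit
    names=""
    [ $((s & 4)) -ne 0 ] && names="SUID"
    [ $((s & 2)) -ne 0 ] && names="${names:+$names,}SGID"
    [ $((s & 1)) -ne 0 ] && names="${names:+$names,}SBIT"
    echo "${names:-none}"
}

# Administrator's check: list SUID/SGID files below a directory, e.g. list_special /usr/bin
list_special() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Demo over the listings shown in the post (constructed from its ls -l output)
for line in '-rwsr-xr-x. 1 root root 27832 Jan 30  2014 passwd' \
            'drwxrwsrwx. 2 root root 6 Jul 17 22:21 sgidd/' \
            'drwxrwxrwt. 2 root root 6 Jul 17 23:23 sbitd/'; do
    mode=${line%% *}; name=${line##* }
    printf '%-12s %s  %-6s %s\n' "$mode" "$(mode_to_octal "$mode")" "$(special_names "$mode")" "$name"
done
```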


Source: www.cnblogs.com/swlip/p/11192378.html